Today, safety is considered to be of the highest importance in most societies. In the context of the military, safety is essential to averting loss of life and damage to high-value assets. While safety may take second place to winning a war, its importance is further accentuated because of its bearing on battlefield readiness. There have been numerous instances that illustrate this last point. To wit:

- Widespread Fatigue Damage (WFD) was discovered in the "weep holes" of the fuel tanks of some C-141 military transport airplanes. Because of the loss of minimum residual strength, with the attendant risk of catastrophic fracture posed by WFD, the entire fleet had to be grounded and an expensive refurbishment program had to be undertaken before the fleet was deemed airworthy. In this instance the unsafe condition was detected and corrected quickly, so no lives were lost and none of the airplanes in the fleet suffered catastrophic damage. However, the grounded aircraft were certainly not battle-ready for a certain length of time. Had they been sent into battle, they would have had to be operated under severe flight restrictions and, thus, their utility to the deployed forces would have been very limited. Had they been deployed without any restrictions, in all probability they would have been unable to complete their missions and the Air Force could have lost valuable aircraft assets. Also, the logistic support necessary to properly carry out tactical operations on the battlefield would not have been available.

- WFD was the primary cause of a highly publicized air accident involving a commercial aircraft. The wide publicity given to that single accident, abetted by on-site video tape recording of the condition of the aircraft after it had landed, shook the confidence of the public in the safety of commercial aviation. As a result, inspection and refurbishment of 3000 jet transport airplanes, out of a fleet of about 5000, was mandated by the authorities, to be undertaken on an urgent basis. The economic impact of this mandate on the airlines, the aircraft manufacturer and the flying public was high and resulted in numerous complaints to the regulatory authorities. It must be noted that since that time more than twelve years have elapsed without a single accident attributable to WFD.

These instances explain my motivation for including the subject of safety in this Lecture Series. However, the subject is extensive, and so many books have appeared that address one aspect or another, that my remarks are meant to complement the existing literature. Much of what I intend to share with you today is not something I have developed on my own; rather, it has been influenced by my comrades and peers when I was in the civil aviation community.

Scope of the Lecture - Analysis and Data Requirements for Assessment of Operational Safety

An aircraft is an assemblage of complex and highly integrated sub-systems: the structure, the power-plant, the electrical, mechanical and hydraulic systems, the avionics suite and the human-in-the-loop, to name a few. To eliminate the risk of the sub-systems failing, individually or in concert, safety analyses are routinely performed by aircraft manufacturers. The manufacturer also conducts analyses to ascertain the consequence of a failed part, to assure that it does not in any way threaten the safety of the entire system.

Before an aircraft model enters service, whether for military or civil use, the design has to satisfy a rigorous set of requirements, which are governed by regulations. These requirements include an analysis of the probability of failure of each component and the hazard caused by the failure. This subject, termed "Systemic Safety" [1], is beyond the scope of this lecture. Rather, the remarks will concentrate on the operational phase of the aircraft's life, that is, the phase after the aircraft is put into operational use for the first time.

However, keep in mind that before the aircraft enters the fleet, there are numerous design reviews, ground and flight tests, and production approvals that are required to assure that the aircraft is safe and able to perform as intended in the operating environment. At times, the origin of problems that are encountered in service may be inherent in the design or the manufacturing stage, or due to construction methods. For instance, an element in the chain that led to the failure of the commercial aircraft mentioned earlier was a failed bond. The failed bond resulted from an inadequate bonding process. It created stress risers at the rivets, which were designed to merely serve as secondary conduits for transferring load. The resulting fatigue cracks were aggravated by loss of material due to corrosion associated with intrusion of moisture from condensation and precipitation. Such problems encountered in service must be quickly corrected in order to prevent accidents and to maintain battle-readiness of the fleet. An essential requirement for quick resolution of these types of problems is a technical team that is familiar not only with the design features of the aircraft model and any modifications that have subsequently been effected, but also with the original design philosophy that guided the design. Often, it is beneficial to retain some members of the original design team to serve in the maintenance group in order to maintain the necessary know-how.

Measurement of Safety

In order to assess the safety of a system after it enters service, one must define safety and establish a set of metrics (measurement standards) for safety. A metric may be the number of failures per one thousand operations, or it may be an incident rate or an accident rate. Such gross metrics are normally refined by dividing the accidents into categories by causal relationships. Furthermore, metrics are often normalized in terms of usage. In any event, the establishment of safety metrics has been subjective, to say the least, and a bit disorganized from the standpoint of relating the accident cause, the events leading up to the accident, and the design fix. The problem is best illustrated through Figures 1 and 2. Both figures have been extracted from publicly released Boeing Airplane Company documents [2, 3]. They depict the relative risk of an accident as a function of the phase of flight, based on historical data. Clearly, if miles flown is chosen as the normalizing factor for a safety metric, the metric ignores the fact that the risk of a journey between destinations involving multiple flight legs and the risk of a single leg, for the same distance traveled, are unequal; hence, the metric would be inappropriate. Similarly, in the assessment of military aircraft, hours of operation is usually chosen as the normalizing factor, but such a choice ignores the fact that the mission profiles could be vastly different, even for the same aircraft model used in different squadrons. Thus, the establishment of multiple metrics for risk using the same database increases the opportunity for establishing a correlation between data and risk, thereby making the safety management system more robust.
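The normalization argument above, worked through in code. This is an added illustration, not part of the lecture; the fleet exposure figures and the per-phase accident probabilities are constructed, and are not taken from the Boeing documents cited.

```python
"""Accident-rate normalization: how the chosen denominator changes the picture.

Added illustration for the lecture's point about normalizing factors; the
fleet figures and per-phase probabilities below are constructed, not taken
from the Boeing documents the lecture cites.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    accidents: int
    miles: float   # miles flown in the period
    legs: int      # flight legs (departures) in the period
    hours: float   # flight hours in the period


# Constructed fleets: the same number of accidents, very different mission profiles.
FLEETS = [
    Exposure("short-haul", accidents=4, miles=200e6, legs=400_000, hours=400_000.0),
    Exposure("long-haul", accidents=4, miles=1200e6, legs=160_000, hours=2_000_000.0),
]


def rates(e: Exposure) -> dict:
    """The same accident count expressed against three normalizing factors."""
    return {
        "per_million_miles": e.accidents / e.miles * 1e6,
        "per_100k_legs": e.accidents / e.legs * 1e5,
        "per_100k_hours": e.accidents / e.hours * 1e5,
    }


def riskiest(fleets, metric: str) -> str:
    """Name of the fleet that looks riskiest under the chosen normalizer."""
    return max(fleets, key=lambda e: rates(e)[metric]).name


# Per-leg model of the lecture's argument: accident risk is concentrated in the
# takeoff and landing phases, so a journey's risk depends on how many legs it
# takes, not only on the distance covered.  Both constants are constructed.
P_TERMINAL_PER_LEG = 2.0e-7      # accident probability in takeoff+landing of one leg
P_CRUISE_PER_MILE = 2.0e-11      # accident probability per mile of cruise


def journey_risk(legs: int, total_miles: float) -> float:
    """Accident probability for a journey of the given legs and total distance."""
    return legs * P_TERMINAL_PER_LEG + total_miles * P_CRUISE_PER_MILE


def risk_ratio_multi_vs_single(legs: int, total_miles: float) -> float:
    """How much riskier the same distance is when flown as several legs."""
    return journey_risk(legs, total_miles) / journey_risk(1, total_miles)


if __name__ == "__main__":
    for metric in ("per_million_miles", "per_100k_legs", "per_100k_hours"):
        print(f"{metric:>18}: riskiest fleet = {riskiest(FLEETS, metric)}")
    print("four 500-mile legs vs one 2000-mile leg:",
          round(risk_ratio_multi_vs_single(4, 2000), 2))
```

With these inputs the per-mile metric names the short-haul fleet as the riskier one while the per-leg metric names the long-haul fleet, which is exactly why the lecture argues for several metrics over the same database.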

Accidents and the Role of Precursors

It is generally agreed that there exist certain precursors to each accident and incident. If one of these precursors is not recognized and the underlying condition that has caused it is not corrected in time, then it can graduate into an incident or even an accident. Aircraft are highly engineered systems, endowed with redundancies and fail-safe features. They are "noisy" systems; that is, they give so many indications, of which only a few are precursors, that one can easily be lulled into complacency. Fail safety embraces two concepts. One is the concept that the first failure does not impair functionality of the system. The second is that the first failure must be obvious to the extent that it will, in all likelihood, be detected well before the onset of subsequent failures, which may endanger the safety of the system. Thus, the first occurrence of a service difficulty associated with a sub-system in an aircraft is a prospective precursor of progressive failures that could result in an incident or accident. Furthermore, multiple occurrences of service difficulties, especially after corrective actions have been attempted, are indicators that the risk of an incident or accident is rising. To take full advantage of such warnings, the organization responsible for safe operation of the aircraft must systematically collect reports of service difficulties. Just as importantly, this same organization must systematically and expeditiously analyze the reports being collected to establish the root cause of the difficulty or difficulties and its potential for resulting in an accident or incident. The analysis must be accomplished early in order to allow sufficient lead-time for corrective action to be taken. Even with a service difficulty collection and analysis system in place, the organization will be unable to use it to reduce or eliminate incidents and accidents unless higher management in the organization recognizes its value and directs development and implementation of corrective action. Clearly, improved safety will result if attention is more focused on precursors.

Detection of Service Difficulty

A Service Difficulty is symptomatically manifested by one of the following:

- Visual, such as cracks, warning lights, observation of smoke, etc.
- Aural, such as alarms, abnormal sounds, etc.
- Tactile, such as excessive vibration, electrical shock, stick response, etc.
- Olfactory, such as fumes from electrical systems or oil or rubber, etc.
- Response to transducer devices, such as those used for nondestructive inspection of structural components.

Service difficulties can also manifest themselves during airworthiness inspections and other maintenance-related activities. One example is the detection of a structural fatigue crack in an area adjacent to the area being inspected. The maintenance program had no instructions for inspecting the cracked area. Had the service difficulty report not been filed on this crack, and had a single observant authority representative not discovered the report and investigated it, further crack growth in this area, on this and other aircraft, might have occurred and graduated into something serious.

It would be erroneous, however, to draw a correlation between the number of service difficulty reports generated and risk. A large number of reports may mean that the operational and maintenance personnel are alert and diligent in reporting discrepancies, not necessarily that the risk of failure is rising. In this case, it may simply be a tribute to the robustness of the inspection and maintenance program. Only systematic analysis performed by trained and knowledgeable analysts can correlate the risk level with service difficulty reporting rates.

Analysis and Data Requirements

There is a symbiotic relationship between (a) the purpose of the safety analysis, (b) the methodology to be used for evaluating safety (or risk), (c) the data required to perform the safety analysis, (d) the confidence to be reposed in the results, and (e) the burden of the data collection effort. All five aspects will have to be considered in concert to devise a robust system that balances system costs (Figure 3).

Safety analysis may be required for a variety of purposes. For instance, gauging the general health or safety of the fleet requires a different methodology, and could be accomplished with a more abbreviated set of data elements, than a forensic analysis of an accident or incident. Thus, the circulation of a questionnaire among the various groups involved in maintaining safety, to establish the connections between the analysis methodologies that are being used or desired and the respective data requirements, is advocated.

Aircraft systems are becoming more and more complex, placing more sophisticated demands on data collection and analysis methods. Also, the increased attention being given to safety, and the accompanying demand for data-driven safety programs, makes the data elements that would have been considered adequate in the past appear lacking in precision and detail. Thus, the number of data elements, the extent of detail to be included in any gathering effort, and the configuration of the database itself should be designed to allow for some growth in data requirements. It is imperative that an organization designing a service difficulty reporting system that mandates the collection of certain data elements simultaneously considers the analysis to be conducted on the collected data. Many existing databases, such as the Service Difficulty Reports maintained by the Federal Aviation Administration, have come in for criticism [4]. These databases collect many pieces of data that are not used or are redundant. Such databases are primarily designed to facilitate the collection of data, with little or no attention paid to the needs of the analyst to correlate the data with the airworthiness of the individual aircraft or the fleet. Hence, it is advocated that a safety program, any safety program, be revisited, and perhaps re-tuned, every five years, both from the viewpoint of currency and of adequacy.

Avionics-related malfunctions may have serious implications for the safety of new-generation aircraft. These systems are being given more authority over primary flight control of the aircraft. Thus, the reporting of associated malfunctions, defects, and failures becomes more critical to proactive safety analysis. Their failures during any phase of operation may have safety implications. In any event, data should be collected to support explicit program requirements. Terminology such as "abnormal or emergency actions" and "endanger the safe operation" in regulations will not produce consistent reporting without further definition and guidance.

The distinction between reliability and safety is much debated in the context of data requirements. It has been argued that the data needed for performing safety analysis is not as extensive as that needed for maintaining reliability. However, with the emergence of the nearly synonymous philosophies of Reliability-Based Maintenance and Condition-Based Maintenance, which take the risk of failure(s) into account, the distinction is blurring.

Hand-held electronic devices have eliminated much of the paperwork in data gathering. Such devices make possible the gathering of voluminous data without making the data gathering effort either burdensome or time consuming. In fact, the development of software that can readily depict on a hand-held device the geometrical layout of components, as well as the inter-connectivity of the functional units, would facilitate the acquisition of data that capture more details about a malfunction or a failure than is now the case. Electronic entry of data has another great advantage, viz., it avoids data corruption due to transcription errors and expedites the addition of more data elements to the database.

Data Standards

The term "data quality" can at once mean different things, such as erroneous data, inconsistencies in the data, insufficient detail captured in the data, completeness of the data sets, etc. Each of these meanings has a bearing on safety. For instance, there is a wealth of data about instances of cracking in airframe structures, but they are not very useful because of a lack of precision and standardization. From the standpoint of systematic analysis of large quantities of data, the most important attribute of a safety-related database is consistent reporting. The adoption of a common terminology is one aspect of consistency. Clarity of terminology is a related aspect. A critical need for data that is stored in relational databases is that fields should be assigned in each data record (report) to allow for supplementary comments by the mechanic. The FAA maintains one of the largest safety databases in the world, the Service Difficulty Reporting (SDR) System. However, because the SDR is a relational database, no provision has been made for supplementary notes. For instance, the database does not allow the mechanic to record the specific location of a crack, even if one is found in a principal structural element. As a result, many users rely on the SDR system only to confirm critical problems that have already been found or suspected, not to give precursory evidence of potential incidents or accidents.


Table 1 exemplifies a form for data recording which would make it possible for supplementary notes to be made by the mechanic or inspector. The form, for reporting incidents, was devised by an internal FAA team of which the author was a member. The data requirements for reporting service difficulty can be developed in an analogous fashion.

In the military context, harmonization of data standards with our NATO allies will inevitably result in more robust safety systems for all concerned. Also, since occurrences of many types of malfunctions are rare, harmonization will allow data to be shared between nations that operate similar aircraft systems and increase the data pool, thereby decreasing the uncertainty inherent in statistics-based analysis schemes.

Completeness of data, whether the entry relates to a deviation, a malfunction, or wear, is nearly as important. The need to report and record every deviation from the norm, even though the vast majority of cases are benign, cannot be over-emphasized. It is also essential for the analyst (or analysis group) to promptly acknowledge receipt of each report and, once the analysis of a report is complete, to communicate the results to the maintenance group. Otherwise, the latter group may lose faith in the system.

Data Archival and Retrieval

An efficient database storage system has to take several factors into account. Simultaneous access by multiple users may be one requirement. Inclusion of pictures and documents in the database may be another. There are several ways to store and present data, and several types of database management systems (DBMS) have been devised and are commercially available. In choosing the right type of DBMS it is important to consider the capability of a typical user and the purpose underlying the use of the data. For safety analysis purposes, the DBMS should be capable of storing and manipulating complex objects and data types efficiently. The most suitable type of currently available DBMS is the one known as an object-oriented DBMS. Such relational databases allow for computer-aided searches and sorts that are simple to implement, allowing the user to concentrate on deriving the information he or she is seeking rather than focusing on the design of the database extraction tool. On the other hand, if one is willing to invest in more complex search engines, the database may need to be less structured and may therefore contain much more information. An explanation of the various types of DBMS can be found in reference [5]. Even object-oriented DBMS have their drawbacks and, thus, the entire subject deserves research attention.

Analysis Methods

Service difficulty data can be used for a variety of purposes and in a variety of ways. The common thread that runs through all of them, however, is risk mitigation. Obviously, the criticality of the component associated with the data, the number of incidences of failure, the consequences of failure, the method(s) used for analysis, the confidence band inherent in the analysis results, and the statistical character of the occurrence are inextricably related.

Accidents and, to a lesser extent, incidents and malfunctions typically involve a chain of events. The chain may simultaneously involve a design deficiency, a defect induced during the manufacturing process, improper maintenance or other human factors. Some aspects that are frequently involved are given in Table 2.

It has been argued that, since many factors are involved in causing an incident or accident, the safety management system should be highly centralized. The author would argue in favor of the opposite, mainly because the safety system would then be redundant and, hence, more robust. The responsibility for safety should be divided among sub-groups whose prime responsibilities are related to maintenance, or air traffic control, or some other factor identified in the table. Each group should be persuaded to believe that they are ultimately responsible for safety, and each group should be allowed to devise its own system for monitoring risk. Of course, each such group will be much better versed in its own specialty and might tend to give greater attention to it. On the other hand, it can be argued that they will tend to take less for granted in other specialty areas and therefore subject them to greater scrutiny.

If the aforementioned view is accepted, it would follow that each group will have different data requirements. The latter can be fulfilled with relative ease by customizing the data for each group, while drawing it from the same master data pool.

One example of an extensive and well-disciplined service difficulty reporting and collection system, as has been previously mentioned, is that maintained by the FAA. Unfortunately, the FAA does not have the means to systematically analyze the data reported, which purportedly is not all-inclusive. Instead, it does so in an ad-hoc manner. That is, it researches the database to seek service difficulties that indicate the pervasiveness of a fault in the aircraft fleet. Such searches are carried out after the problem has been brought to the attention of the authority through other means, such as an incident or an accident. However, the efforts of the FAA are a valuable adjunct to the safety analysis efforts of industry. Moreover, the SDR database is accessible to other users, such as aircraft manufacturers and operators, who, because of their focus, tend to be more systematic in the analysis of the data.

Causal Analysis

Causal analysis of an accident or incident seeks to establish those factors that are judged to have been directly responsible for causing the event (primary causal factors) and those that contributed to the event (secondary causal factors) by deconstructing the accident. For these causal factors, a causal chain can usually be established for each accident or incident [6]. The advantage of causal chain analysis is that, in the case of multiple causes and multiple accidents or incidents, the common events or elements in the chains can be identified and subjected to the greatest attention. Thus, the safety system can concentrate on those common events and maximize its responsiveness and effectiveness in cutting down-times and reducing or eliminating accidents. The perceived disadvantage of this approach is that it is reactive rather than proactive. That is, the regulating authority and the industry (or the military operators) seek to eliminate the causal factor after the accident in order to prevent accidents due to the same cause from happening again.

Causal analysis does have an advantage over simulation and technical conjecture in that it is based on factual data rather than on models that mimic a hypothetical event or on engineering judgement, which relies on the knowledge base and experience of the technical team. Moreover, as has already been mentioned, in today's aviation industry it is difficult to retain an engineering team that is intimately familiar with the continuous changes in the aircraft design after production begins.

The causal analysis approach, however, also suffers from the disadvantage that the analysis has a good measure of subjectivity, both in regard to the list of factors and to their relative contributions. Also, due to the inter-dependencies of the various factors, such as those listed in Table 2, that are frequently encountered, the relative weights ascribed to the various causal factors can vary a great deal as a function of the analyst. Thus, an intimate knowledge of the aircraft system is a prerequisite for someone engaging in causal analysis. The challenge of managing aircraft safety is to identify and focus on truly hazardous conditions, so they can be eliminated before a potential accident becomes a reality.

Trend Analysis

One simple and effective method is used in the Aviation Safety for Accident Prevention (ASAP) program that is used by the FAA's Rotorcraft Directorate in Ft. Worth, Texas. The program selects components that fail, by part number. For each part, it reviews the service history over 3-, 6-, 12- or 24-month periods. Based on the counts of service difficulty reports involving the part number, it predicts trends.

A risk level is assigned to each report. ASAP has the ability to quickly research whether an accident had a service difficulty history. For example, responding to a fatal accident involving the tail rotor driveshaft, the analyst was able to track part numbers and identify five service difficulty reports that had found the part to have been worn beyond limits and to contain cracks or corrosion. Two of the reports described the result of inspection to be a sheared tail rotor driveshaft. Based on the accident and the supporting trend indicated by the service history, the Authority issued an Airworthiness Directive (AD). A year after the issuance of the AD, no more service difficulty reports citing that particular part had been filed. But, more importantly, the incidence of sheared rotor drive shafts has been drastically reduced. However, ASAP has one drawback: usage of ASAP is not yet proactive, in that the analyst must be prompted by an event, such as an accident or incident, to conduct trend analysis on a given part or component.
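The part-number trend review described above, in the style of the ASAP approach, as an added example that is not the FAA's program or code. The SDR records, the part numbers (TRD-0001, HYD-2200) and the risk scale are all constructed placeholders; the watch-list function goes one step beyond the text by gating the count trend on the analyst's assigned risk level, so that a busy but benign reporting stream does not trigger an alert.

```python
"""Part-number trend analysis in the style of the ASAP approach described in
the lecture.  Added illustration; the SDR records below are constructed and
the part numbers are placeholders, not FAA data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SDR:
    filed: date
    part_number: str
    finding: str
    risk_level: int  # analyst-assigned, 1 (minor) .. 4 (flight-safety critical); constructed scale


# Constructed service history.  TRD-0001 stands in for a tail rotor driveshaft.
SAMPLE_SDRS = [
    SDR(date(1998, 9, 10), "TRD-0001", "worn beyond limits", 2),
    SDR(date(1999, 3, 5), "TRD-0001", "corrosion pitting", 2),
    SDR(date(1999, 11, 20), "TRD-0001", "crack at spline", 3),
    SDR(date(2000, 2, 14), "TRD-0001", "sheared tail rotor driveshaft", 4),
    SDR(date(2000, 5, 2), "TRD-0001", "sheared tail rotor driveshaft", 4),
    SDR(date(1999, 12, 1), "HYD-2200", "seal weep", 1),
    SDR(date(2000, 4, 10), "HYD-2200", "seal weep", 1),
]
AS_OF = date(2000, 6, 30)
WINDOWS_MONTHS = (3, 6, 12, 24)


def window_start(as_of: date, months: int) -> date:
    """First day of the month `months` before as_of (calendar-month windows)."""
    idx = as_of.year * 12 + (as_of.month - 1) - months
    return date(idx // 12, idx % 12 + 1, 1)


def service_history(reports, part_number: str, as_of: date) -> dict:
    """Count of SDRs citing the part in each trailing 3/6/12/24-month window."""
    hits = [r for r in reports if r.part_number == part_number and r.filed <= as_of]
    return {m: sum(1 for r in hits if r.filed >= window_start(as_of, m))
            for m in WINDOWS_MONTHS}


def trend(reports, part_number: str, as_of: date) -> str:
    """Compare the last 6 months' monthly report rate with the 6 months before."""
    h = service_history(reports, part_number, as_of)
    recent = h[6] / 6.0
    earlier = (h[12] - h[6]) / 6.0
    if h[6] >= 2 and recent > 1.5 * earlier:
        return "rising"
    if recent < earlier / 1.5:
        return "falling"
    return "flat"


def highest_risk(reports, part_number: str) -> int:
    """Highest analyst-assigned risk level among the part's reports (0 if none)."""
    return max((r.risk_level for r in reports if r.part_number == part_number), default=0)


def watch_list(reports, as_of: date, min_risk: int = 3) -> list:
    """Parts whose reports are both rising in count and serious in assigned risk.
    Counts alone are not risk (a diligent reporting culture also raises counts),
    so the analyst's risk level gates the alert."""
    parts = sorted({r.part_number for r in reports})
    return [p for p in parts
            if trend(reports, p, as_of) == "rising" and highest_risk(reports, p) >= min_risk]


if __name__ == "__main__":
    print(service_history(SAMPLE_SDRS, "TRD-0001", AS_OF))
    print(trend(SAMPLE_SDRS, "TRD-0001", AS_OF), watch_list(SAMPLE_SDRS, AS_OF))
```

Run without an accident prompting it, the same review can be repeated for every part number in the database, which is the proactive use the text notes ASAP does not yet make.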

Monitoring of Safety Through Performance Indicators

The FAA's Flight Standards Service has developed a heuristic-based system called the Safety Performance Analysis System (SPAS), primarily for the benefit of its corps of safety inspectors. They started building the system by getting teams of highly experienced and proficient inspectors together, with each inspector identifying the parameters that he or she uses during surveillance of an operator or a repair station facility. Each team discussed each of the identified parameters and developed a consensus about the relative importance of the parameters that must be scrutinized. Next, the parameters were weighted according to their perceived importance and aggregated into groups, with each group being termed an "indicator." The advantage of a system that is based on indicators is that it pools the knowledge and experience of the "gray beards," or the more experienced inspectors in the regulating Authority, for use by the younger, less experienced inspectors. Hence, it focuses attention on what is a warning rather than on events that are merely "noise." The disadvantage is that a rational derivation of threshold values, which signal caution or even danger, is not possible.

A variation of the idea of performance indicators as measures of safety is proposed by the author. It is based on "wiring diagrams" of sub-systems being used in conjunction with the concept of indicators. In the pristine condition, every cell in the wiring diagram would be colored white. When a failure of a certain part occurs, the analyst assesses the criticality of the part to flight safety and assigns a hue to that part (cell) in the wiring diagram. A deeper hue or color would signify that the part has a relatively high criticality. The wiring diagram is constantly updated by adding more color to the particular part to reflect the arrival of new service difficulty reports. Two events will attract the attention of the analyst. The first is the depth of the hue of a certain cell, and the second is the contiguity, in terms of their function, of cells that are hued (the ones that are sequentially tied or represent the redundant feature). The idea is based on the recognition of the fact that in both cases the risk of sub-system failure is increasing, and that the wiring diagram pictorially represents the rise. In fact, it would be relatively easy to convert the logic into computer code that automatically raises a flag in either case, which cannot escape the attention of the analyst. Also, different colored flags may be set up to indicate the level of alert. The scheme will also need to take into account replacement or re-design of the part, or of the sub-assembly itself. That is also easily done by washing out the color in the particular cell representing the part, or in the block of cells if the sub-assembly has been redesigned or refurbished.
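The two alert conditions of the wiring-diagram scheme above, as an added example that is not part of the original paper: each service difficulty report deepens a cell's hue by a criticality weight, a single cell flags on depth, a series chain flags when two functionally adjacent cells are hued, a redundant group flags when two of its members are hued, and a replacement washes the colour out. The sub-system, the part names, the criticality weights and both thresholds are constructed for this example; the paper itself derives none.

```python
from dataclasses import dataclass, field

# Thresholds and weights are assumptions for this example; the paper derives none.
DEPTH_ALERT = 3.0   # accumulated criticality at which one cell alone raises a flag
MINOR, MAJOR, HAZARDOUS = 1.0, 2.0, 3.0   # assumed criticality weight per report


@dataclass
class WiringDiagram:
    """Cells are part ids; hue 0.0 is white (pristine) and deepens with each report."""
    chains: dict[str, list[str]]     # name -> parts tied in sequence (series)
    redundant: dict[str, list[str]]  # name -> parts that back each other up
    hue: dict[str, float] = field(default_factory=dict)

    def report_failure(self, part: str, criticality: float) -> None:
        """A new service difficulty report adds colour proportional to criticality."""
        self.hue[part] = self.hue.get(part, 0.0) + criticality

    def wash_out(self, *parts: str) -> None:  # replacement or redesign: back to white
        for part in parts:
            self.hue.pop(part, None)

    def is_hued(self, part: str) -> bool:
        return self.hue.get(part, 0.0) > 0.0

    def flags(self) -> list[tuple[str, str, str]]:
        """Return (colour, reason, where); the colour encodes the level of alert."""
        out = []
        for part, depth in self.hue.items():            # event 1: depth of hue
            if depth >= DEPTH_ALERT:
                out.append(("red", "depth", part))
        for name, parts in self.chains.items():         # event 2a: adjacent cells in series
            if any(self.is_hued(a) and self.is_hued(b) for a, b in zip(parts, parts[1:])):
                out.append(("amber", "contiguity:series", name))
        for name, parts in self.redundant.items():      # event 2b: redundancy being eroded
            if sum(map(self.is_hued, parts)) >= 2:
                out.append(("amber", "contiguity:redundant", name))
        return out


def demo() -> tuple[list, list]:
    """Constructed fuel-feed sub-system and SDR stream; flags before/after a part swap."""
    d = WiringDiagram(
        chains={"fuel_feed": ["tank_vent", "boost_pump_A", "shutoff_valve", "engine_feed"]},
        redundant={"boost_pumps": ["boost_pump_A", "boost_pump_B"]},
    )
    for part, crit in [("boost_pump_A", MINOR), ("boost_pump_B", MINOR),
                       ("shutoff_valve", MAJOR), ("shutoff_valve", MAJOR)]:
        d.report_failure(part, crit)
    before = d.flags()
    d.wash_out("shutoff_valve")   # valve replaced: its cell goes white again
    return before, d.flags()
```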

Probabilistic Risk Analysis

Several probabilistic approaches to safety have been proposed [7]. However, such approaches are not looked upon with enthusiasm because no one wants to look upon safety management in a manner that resembles a game of chance. However, there are at least two major advantages of a probabilistic approach. First, it takes into account the variability in the data as well as the trends in the number of occurrences. It also provides for considering the relationship between seemingly unrelated occurrences. The analyst must examine the estimated probability of an accident, given a high probability of the occurrence of service events, and determine if intervention is required. A unique advantage of the probabilistic approach over a deterministic approach is that it enables the Authority, or the Safety Office in the military, to focus on the most likely causes of hypothetical, future accidents, and prevent them. By far the most important advantage is that it enables the Authority, and the operators, to get ahead of the power curve - that is, to correct the condition before the first accident occurs.

Concluding Remarks

As new technology is inducted, aircraft systems will inevitably become more complex. New technology generally means better performance and lower costs, but there might be safety-related challenges as well. Also, increased usage and operating missions beyond what was envisaged in the design stage will magnify the accident rate as well as the fatalities, injuries, or losses of high-value assets. Safety systems will need to be more sophisticated, and better methods of analysis will need to be employed. Authorities, and in the case of the military the services themselves, will need to focus more on preventing accidents due to service-related events rather than using service data to confirm the analysis of accidents that have already happened.

Concomitantly, more extensive data requirements and data archival systems will need to be engineered. Thus, the cost of maintaining a high level of safety is bound to rise, but the cost of not having an effective system will be many times greater. Safety of highly engineered systems, like aircraft, has a high price tag, but the alternative will prove to be much, much more expensive.
TABLE 1: EXAMPLE OF A FORM FOR RECORDING AN INCIDENT

BATCH #        I.D. #

REV.   DATE        ANALYST     REVIEWER
0      __/__/__
1      __/__/__
2      __/__/__
3      __/__/__

EVENT ID NUMBER: YY MM DD SE

TIME OF EVENT (SELECT ONE): UNKNOWN / UT / LOCAL TIME

EVENT CLASSIFICATION: HAZARDOUS / MAJOR / MINOR / DAMAGE

LOCATION:
- DEPARTURE AIRPORT
- DESTINATION AIRPORT
- EVENT LOC. (CITY)
- COUNTRY (EVENT)
- LAT/LONG
- UNKNOWN

AIRCRAFT:
- TYPE-SERIES
- A/C MAKE
- FUSELAGE NO.
- DATE MANUFACTURED
- TAIL NUMBER
- SERIAL NUMBER
- ENGINE MAKE
- ENGINE MODEL(S)
- ENGINE SERIAL NO(S).
- FLIGHT NUMBER

TYPE OF MISSION (SELECT UP TO 2): SCHEDULED PAX / UNSCHEDULED PAX / CARGO / FERRY / FLIGHT TEST / TRAINING / MAINT / UNKNOWN

AIRLINE/OPERATOR:
- OPERATOR NAME
- OPERATOR OAG CODE

METEOROLOGICAL/ENVIRONMENT CONDITIONS:
- IMC/VMC
- VERTICAL TURBULENCE
- HAZE
- HAIL
- CLOUD CEILING (FT OR M)
- LIGHT CONDITIONS: DAY/NIGHT/DUSK/DAWN
- VISIBILITY (FT, M, MI)
- WIND: DIRECTION; VELOCITY IN KTS
- TEMPERATURE (F OR C)
- MICROBURST
- CAT
- BIRDS
- SNOW/SLUSH
- SAND/ASH
- THUN STRMS
- LIGHTNING
- OTHER WEATHER
- ICE/RAIN/FOG/GUSTS
- WINDSHEAR

PHASE OF OPERATION:
- BOARDING
- CARGO LOADING
- ENGINE START
- TAXI
- TAKE OFF: ROLL / ROTATION / INIT CLIMB
- GO AROUND
- DURING DIVERT
- CLIMB TO CRUISE
- CRUISE
- DESCENT
- APPROACH: INITIAL / FINAL
- LANDING: FLARE & TOUCHDOWN / ROLL
- TOUCH AND GO
- TAXI
- DEBOARDING
- PARKED
- REFUELING
- INSPECTION
- TOWED
- SERVICING
- UNKNOWN

HARDWARE INVOLVED IN INCIDENT: ATA CODE __/__
- NAME
- MODEL
- MAKE
- LOCATION
- PART NUMBER
- TOTAL TIME
- TIME SINCE O/H
- CYCLES SINCE O/H
- TOTAL CYCLES

TYPE OF HUMAN MACHINE INTERFACE ERROR: (Suggest that a coded list be developed that is similar to ATA codes)

NAT. AVIATION SYSTEM (NAS): TBD

FLIGHT CREW EXPERIENCE (CAPTAIN / FIRST OFFICER / SECOND OFFICER):
- PILOT IN COMMAND
- TOTAL FLYING TIME
- TIME IN TYPE ACFT

DATA SOURCES: FLIGHT CREW / ATC / MAINTENANCE / CAA / OPERATOR / FLT INT / MANUFACTURER / FLIGHT SAFETY FOUNDATION / NTSB / NEWS / WAAS / AIRCLAIMS / OTHER

BRIEF DESCRIPTION:

Describe the event/situation. Keeping in mind the following topics, discuss those which you feel are relevant and anything else you think is important. Include what you believe really caused the problem, and what can be done to prevent a recurrence, or correct the situation. (USE ADDITIONAL PAGES IF NECESSARY)

1. CHAIN OF EVENTS
- How the problem arose
- Contributing factors
- How was it discovered
- Corrective actions taken
- System configurations and operating modes
- What procedures were used
- How did you decide what to do
- What stopped the incident from becoming an accident

2. HUMAN PERFORMANCE CONSIDERATIONS
- Perceptions, judgements, decisions
- Factors affecting the quality of human performance
- Actions or inactions
- Lack of positional awareness
- Lack of awareness of circumstances of flight
- Incorrect selection on instrument/navaid
- Action on wrong control/instrument
- Slow/delayed action
- Omission of action/inappropriate action
- Fatigue
- State of mind
- Lack of qualification/training/experience
- Incapacitation/medical or other factors reducing crew performance
- Deliberate non-adherence to procedures
- Failure in Cockpit Resource Management

FULL NARRATIVE:

ANALYST COMMENTS:

Factors Relevant to Incident (Each incident usually has more than one factor)
Group / Factor / No. acc.

A. Causal factors

A.1 Aircraft systems
- 1.1 System failure - affecting controllability
- 1.2 System failure - flight deck information
- 1.3 System failure - other

A.2 ATC/Ground aids
- 2.1 Incorrect or inadequate instruction/advice
- 2.2 Misunderstood/missed communication
- 2.3 Failure to provide separation - air
- 2.4 Failure to provide separation - ground
- 2.5 Ground aid malfunction or unavailability

A.3 Environmental
- 3.1 Structural overload
- 3.2 Wind shear/upset/turbulence
- 3.3 Icing
- 3.4 Wake turbulence - aircraft spacing
- 3.5 Volcanic ash/sand/precipitation etc.
- 3.6 Birds
- 3.7 Lightning
- 3.8 Runway condition unknown to crew

A.4 Crew
- 4.1 Lack of positional awareness - in air
- 4.2 Lack of positional awareness - on ground
- 4.3 Lack of awareness of circumstances in flight
- 4.4 Incorrect selection on instrument/navaid
- 4.5 Action on wrong control/instrument
- 4.6 Slow/delayed action
- 4.7 Omission of action/inappropriate action
- 4.8 "Press-on-itis"
- 4.9 Failure in CRM (cross-check/co-ordinate)
- 4.10 Poor professional judgments/airmanship
- 4.11 Disorientation
- 4.12 Fatigue
- 4.13 State of mind
- 4.14 Interaction with automation
- 4.15 Fast and/or high on approach
- 4.16 Slow and/or low on approach
- 4.17 Loading incorrect
- 4.18 Flight handling
- 4.19 Lack of qualification/training/experience
- 4.20 Incapacitation/medical or other factors reducing crew performance
- 4.21 Failure in look-out
- 4.22 Deliberate non-adherence to procedures

A.5 Engine
- 5.1 Engine failure
- 5.2 Propeller failure
- 5.3 Damage due to non-containment
- 5.4 Fuel contamination
- 5.5 Engine failure simulated

A.6 Fire
- 6.1 Engine fire or overheat
- 6.2 Fire due to aircraft systems
- 6.3 Fire - other cause
- 6.4 Post crash fire

A.7 Maintenance/ground handling
- 7.1 Failure to complete due maintenance
- 7.2 Maintenance or repair error/oversight/inadequacy
- 7.3 Ground staff struck by aircraft
- 7.4 Loading error
- 7.5 SUPs - Suspected Unapproved Parts
- 7.6 Unapproved Parts
A.8 Structure
- 8.1 Corrosion/fatigue
- 8.2 Overload failure
- 8.3 Flutter

A.9 Infrastructure
- 9.1 Incorrect, inadequate or misleading information to crew
- 9.2 Inadequate airport support

A.10 Design
- 10.1 Design shortcomings
- 10.2 Unapproved modification
- 10.3 Manufacturing defect

A.11 Performance
- 11.1 Unable to maintain speed/height
- 11.2 Aircraft becomes uncontrollable

A.12 Other
- 12.1 Caused by other aircraft
- 12.2 Non-adherence to cabin safety procedures

B. Circumstantial factors

B.1 Aircraft systems
- 1.1 Non-fitment of presently available safety equipment (GPWS, TCAS, windshear warning, etc.)
- 1.2 Failure/inadequacy of safety equipment

B.2 ATC/ground aids
- 2.1 Lack of ATC
- 2.2 Lack of ground aids

B.3 Environmental
- 3.1 Poor visibility
- 3.2 Other weather
- 3.3 Runway condition (ice, slippery, standing water, etc.)

B.4 Training
- 4.1 Training inadequate
- 4.2 Presented with situation beyond training
- 4.3 Failure in CRM (cross-check/co-ordinate)

B.5 Infrastructure
- 5.1 Incorrect/inadequate procedures
- 5.2 Company management failure
- 5.3 Inadequate regulation
- 5.4 Inadequate regulatory oversight

C. Consequences
- C.1 Controlled Flight Into Terrain (CFIT)
- C.2 Collision with terrain/water/obstacle
- C.3 Mid-air collision
- C.4 Ground collision with other aircraft
- C.5 Ground collision with object/obstacle
- C.6 Loss of control in flight
- C.7 Fuel exhaustion
- C.8 Overrun
- C.9 Undershoot
- C.10 Structural failure
- C.11 Post crash fire
- C.12 Fire/smoke during operation
- C.13 Emergency evacuation difficulties
- C.14 Forced landing - land or water
- C.15 Other cause of fatality

D. Unknown

Level of confidence: High / Medium / Low / Insufficient Information

Note: Acts of terrorism and sabotage, test and military-type operations, and fatalities to third parties not caused by the aircraft or its operation are excluded.
TABLE 2: ASPECTS THAT CAN ADVERSELY AFFECT SAFETY

- Design
- Manufacturing
- Maintenance
- New Technology
- Technological Obsolescence
- Human Factors
- Repair
- Unwitting Exceedances
- Configuration Management
- Flight Operations
- Air Traffic Control
- Adverse Environment
- Software
- Training
- Records
- Regulations
- Environmental Rules
- Unapproved Parts
- Hazardous Cargo/Stores


Figure 1. Accidents and Onboard Fatalities by Phase of Flight

Figure 3. Elements Associated With Service Difficulty Related Activities


